I see lots of people claim virus scanners are unnecessary on a linux server. But if this server accepts files uploaded from users (and lets others download them), does it become worth it to scan the files when they are uploaded on the server?

4 Answers

In fact what can be an issue, and what will be an issue, is going to be your web service. Apache, PHP, and any web software that you run will all likely have some form of exploit or vulnerability, even if nobody knows it yet. All it takes is one exploit and, bam, you have someone accessing your whole system.

While the risk of a virus is definitely low while running a Linux Server, it's not zero. Any server should have some form of firewall and anti-virus for the one chance that something manages to get through.

Now of course, you still want to take all the precautions you can. Ensuring that the directory can't be listed, ensuring that the file permissions are read-only for anonymous actions, parsing the files for only the supported file types, etc. are all things that can help reduce the risk of attack.

This is unrelated to AV software on the server, which would be used for scanning files uploaded by users for other users to download, or similar. It would not be used for scanning programs to be run on the server, since you're not running random third-party programs on the server.
– R.. Mar 16 '14 at 18:33

Virus scanners for Linux look for Windows viruses. The logic is that your Linux server is acting as a file-storage location for users who are running Windows, and therefore scanning for Windows viruses will help protect your users.

The concept of a virus implies a user at an interactive session. Someone opening email in Outlook or documents in Word, or running programs they received in an email. A virus implies a human element. Servers don't (or shouldn't) allow reading emails and browsing websites. Instead, attacks against servers are fully automated; no human required. They call that a "worm" rather than a "virus".

Worms are a concern on Linux. But protecting your server from that type of threat works differently. Protecting users from viruses requires something stopping users from doing things they shouldn't. Hence the "anti-virus". Protecting servers from worms and similar exploits involves fixing vulnerable software. If something is exploitable on your server, then the thing needs to be fixed.

In other words, you don't watch inbound files checking to see if any will hurt you if you run them, because you never run them. If you do run code delivered to you by someone on the Internet, then that is your problem. To fix the problem, you remove or fix the thing that's behaving dangerously.

So, for example, a vulnerable WordPress plugin on Linux is vaguely analogous to a vulnerable Microsoft Office installation on Windows. On the Windows desktop, you carefully examine all inbound Microsoft Office documents, checking to see if any will exploit the vulnerability in Office. But on the Linux server, you just remove or patch your WordPress plugin and be done with it. Instead of keeping an antivirus up-to-date, you're supposed to keep your server up-to-date.

And on the other hand, yes.

Now, it turns out that there is something called a Web Application Firewall, which is surprisingly similar to the antivirus concept, but applied to websites instead of humans.

A WAF is built on the idea of protecting vulnerable sites from exploit much the same way as an antivirus tries to protect vulnerable desktops. It even uses roughly the same technique (looking for and blocking certain patterns). But while all antivirus products err heavily on the side of avoiding false-positives, a WAF can be configured to be so permissive as to be useless, or so restrictive as to break your site.

Your particular installation should be very carefully tailored to match your given website. It takes work, and time, and lots of patience. But there should be a local maximum that gives you reasonable protection against the vulnerabilities you don't know are there, while still maintaining a working site.

Though be warned, the more websites you have on a given server, the more difficult it becomes to tune your security configuration. On general-purpose shared-hosting servers, this type of solution is all but completely unworkable because of the false-positive rate. In other words, your mileage might vary.
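To make the permissive/restrictive trade-off in the answer above concrete, here is a small anomaly-scoring request filter of the kind a WAF applies. It is an added example, not the answer's code and not any real WAF's rule set: the rules, their scores, the threshold, the paths and the sample requests are all constructed for illustration.

```python
"""Toy anomaly-scoring WAF.  Added example, not code from the answer above:
the rules, scores, threshold and sample requests are all constructed for
illustration.  The scoring model is loosely modelled on how a rule set such
as ModSecurity's Core Rule Set sums per-rule scores against a threshold,
but nothing here is that rule set."""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    rule_id: str
    pattern: re.Pattern
    score: int            # weight added to the request's anomaly score on a hit
    description: str


# A small constructed rule set: high-confidence patterns score 5, weak ones 1-3.
RULES = [
    Rule("sqli-union", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I), 5, "UNION ... SELECT"),
    Rule("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I), 5, "' OR '1'='1"),
    Rule("sqli-comment", re.compile(r"(--|#|/\*)\s*$"), 2, "trailing SQL comment"),
    Rule("sql-keyword", re.compile(r"\b(select|insert|drop|delete)\b", re.I), 1, "bare SQL keyword"),
    Rule("xss-script", re.compile(r"<\s*script\b", re.I), 5, "<script> tag"),
    Rule("traversal", re.compile(r"\.\./"), 3, "../ path traversal"),
]


@dataclass
class Policy:
    threshold: int = 5                  # block once the summed score reaches this
    exclusions: dict = field(default_factory=dict)  # path prefix -> rule ids disabled there
    blocking: bool = True               # False = detection-only while tuning


def evaluate(params: dict, path: str, policy: Policy):
    """Score one request's parameters; return (blocked, score, matched_rule_ids)."""
    excluded = set()
    for prefix, ids in policy.exclusions.items():
        if path.startswith(prefix):
            excluded.update(ids)
    score, matched = 0, []
    for value in params.values():
        for rule in RULES:
            if rule.rule_id not in excluded and rule.pattern.search(value):
                score += rule.score
                matched.append(rule.rule_id)
    return policy.blocking and score >= policy.threshold, score, matched


# Constructed sample traffic.
ATTACK = {"id": "1' OR '1'='1' -- "}
LEGIT_COMMENT = {"body": "Why does SELECT * FROM users hang? The DROP TABLE joke is old."}
ADMIN_QUERY = {"sql": "SELECT name FROM t1 UNION SELECT name FROM t2"}


def tuning_walkthrough():
    """Show the permissive/restrictive trade-off the answer describes."""
    default = Policy()
    return {
        # real injection: two strong rules fire, 7 >= 5, blocked
        "attack_blocked": evaluate(ATTACK, "/search", default),
        # a blog comment that merely talks about SQL: one weak rule, 1 < 5, allowed
        "comment_allowed": evaluate(LEGIT_COMMENT, "/blog/comment", default),
        # too restrictive: threshold 1 turns that same comment into a false positive
        "comment_false_positive": evaluate(LEGIT_COMMENT, "/blog/comment", Policy(threshold=1)),
        # an admin SQL console legitimately sends UNION SELECT; blocked everywhere ...
        "admin_query_blocked_elsewhere": evaluate(ADMIN_QUERY, "/search", default),
        # ... so the tuned policy excludes the SQL rules on that one path only
        "admin_query_allowed_when_tuned": evaluate(
            ADMIN_QUERY, "/admin/sql",
            Policy(exclusions={"/admin/sql": {"sqli-union", "sql-keyword"}})),
        # detection-only: same score, nothing blocked, for watching logs while tuning
        "detection_only": evaluate(ATTACK, "/search", Policy(blocking=False)),
    }


if __name__ == "__main__":
    for name, result in tuning_walkthrough().items():
        print(f"{name:32} blocked={result[0]!s:5} score={result[1]} rules={result[2]}")
```

The three knobs are the ones you actually turn on a real deployment: the threshold (too low and the blog comment above becomes a false positive, too high and the injection gets through), per-path rule exclusions (the only sane way to let an admin SQL console through without disabling the rule site-wide), and a detection-only mode in which you read the logs before you start blocking. ModSecurity with the Core Rule Set works the same way in spirit: each matching rule adds to an anomaly score, the request is blocked when the score reaches the inbound threshold, and `SecRuleEngine DetectionOnly` is the counterpart of `blocking=False`. Note also why shared hosting is so hard to tune: the exclusion that is correct for one site's admin console is a hole in every other site on the box.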

If I upload a Virus infected file to any server - Windows, Linux, Mac OS X, *BSD - that doesn't do anything. It's just a file sitting in a folder.

Viruses become a problem in the moment someone executes them. If the upload process has a bug that allows me to put files in a directory where something executes them, then that's a problem.

But a far bigger problem is that once the file is in the network, someone might pick it up and run it. As long as they are in the uploads folder, they are practically harmless, but if someone on another machine inside the company then downloads them to their machine and runs them, you're obviously screwed.

In theory, a virus scanner on the user's machine would be enough, but why trust that hundreds or even thousands of computers have their virus scanners up-to-date, actually running (some people might have admin rights and disable the virus scanner e.g. when they are developing internal apps and need to not mess with the debugger)? And who knows where else that file is now? If you can already scan the file at the moment it comes in and only release it then, why not?

A (somewhat flawed) analogy is US Immigration: Even though there are tons of police officers that could catch people without a valid Visa/I-94, there are still Immigration Controls at the airports to check passengers that just landed. Why not just save that money? Because it's far easier and much more likely to catch offenders right there at the source.

If files are stored on a server, they are often used for automatic or manual processing. Depending on the file type, this can be abused to either inject malicious executable code (macros for instance), or trigger vulnerabilities, such as buffer overflow when handling the file. Also, any accepted input from users is always a security risk and should be handled with care. Meaning it must be sanitized and validated. AV is a part of that.
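A worked version of the scan-on-upload workflow that the first, third and fourth answers describe: decide the file type from its content rather than its name, store it where nothing executes it and with read-only permissions, scan it before anyone else can download it, and release it only if the scan is clean. This is an added example, not code from any of the answers. The scan uses ClamAV's clamd INSTREAM protocol, but with an offline stub in place of a real daemon so the demo runs anywhere; the clamd socket path, the directory layout and the sample files are assumptions, and the EICAR test string is the standard one that every scanner flags.

```python
"""Scan-on-upload pipeline: an added example, not code from any answer here.
Type comes from the bytes, not the client's filename; obviously executable
content is refused; the file is parked in quarantine under a random read-only
name and moved to the public directory only after clamd reports it clean.
clamd_instream() speaks the real clamd INSTREAM framing; FakeClamdSocket is
an offline stub constructed here that flags the standard EICAR test string."""
import os
import secrets
import struct
import tempfile
from pathlib import Path

MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg", b"%PDF-": "pdf"}
FORBIDDEN_PREFIXES = (b"MZ", b"\x7fELF", b"#!", b"<?php")  # never on a file share
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def sniff_type(data: bytes):
    """Allowed type by leading bytes, or None if not on the allow-list."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def clamd_instream(data: bytes, sock) -> str:
    """clamd INSTREAM over a connected socket-like object: 'zINSTREAM\\0', then
    4-byte big-endian length + bytes per chunk, zero length ends the stream."""
    sock.sendall(b"zINSTREAM\0")
    for i in range(0, len(data), 65536):
        chunk = data[i:i + 65536]
        sock.sendall(struct.pack(">I", len(chunk)) + chunk)
    sock.sendall(struct.pack(">I", 0))
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        reply += part
    return reply.rstrip(b"\0").decode(errors="replace")  # 'stream: OK' or '... FOUND'


def accept_upload(data: bytes, quarantine: Path, public: Path, scan):
    """Validate, quarantine, scan, release. Returns (accepted, public_name_or_reason)."""
    if data.startswith(FORBIDDEN_PREFIXES):
        return False, "executable content"
    kind = sniff_type(data)
    if kind is None:
        return False, "unsupported type"
    name = f"{secrets.token_hex(16)}.{kind}"  # never reuse the client's filename
    qpath = quarantine / name
    # 0o440: not executable and not world-readable while it sits in quarantine
    fd = os.open(qpath, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o440)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    verdict = scan(data)
    if verdict != "stream: OK":
        return False, f"quarantined: {verdict}"  # left in quarantine for investigation
    os.chmod(qpath, 0o444)
    os.replace(qpath, public / name)  # released: the web server may serve it now
    return True, name


class FakeClamdSocket:
    """Offline stand-in for a clamd connection (constructed for this example)."""
    def __init__(self):
        self.buf, self.reply = b"", None

    def sendall(self, b):
        self.buf += b
        pos, body = len(b"zINSTREAM\0"), b""
        while self.reply is None and pos + 4 <= len(self.buf):
            n = struct.unpack(">I", self.buf[pos:pos + 4])[0]
            if n == 0:  # end of stream: produce the verdict
                self.reply = b"stream: Eicar-Test-Signature FOUND\0" if EICAR in body else b"stream: OK\0"
            elif pos + 4 + n > len(self.buf):
                break  # chunk not fully received yet
            else:
                body += self.buf[pos + 4:pos + 4 + n]
                pos += 4 + n

    def recv(self, n):
        out, self.reply = self.reply or b"", b""
        return out


def demo():
    """Run the pipeline offline on constructed inputs; returns name -> verdict."""
    base = Path(tempfile.mkdtemp())
    quarantine, public = base / "quarantine", base / "public"
    quarantine.mkdir(); public.mkdir()
    scan = lambda data: clamd_instream(data, FakeClamdSocket())
    return {
        "png": accept_upload(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32, quarantine, public, scan),
        "exe_renamed_to_png": accept_upload(b"MZ\x90\x00" + b"\x00" * 32, quarantine, public, scan),
        "php_file": accept_upload(b"<?php echo 'hi'; ?>", quarantine, public, scan),
        "unknown_type": accept_upload(b"hello world", quarantine, public, scan),
        "eicar_inside_pdf": accept_upload(b"%PDF-1.4\n" + EICAR, quarantine, public, scan),
    }
```

To use a real scanner, open a `socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)`, connect it to the path configured as `LocalSocket` in `clamd.conf` (an assumption about your installation), and pass it to `clamd_instream` as `sock`. Two caveats a practitioner should keep in mind: the magic-byte check only looks at the first few bytes, so a polyglot that starts like a PNG still gets through to the scanner stage, which is exactly why the scan is worth having on top of type validation; and none of this helps if the web server is configured to execute scripts out of the public directory, so that directory must be served as static files with listing disabled, as the first answer says.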